To: pve-devel@lists.proxmox.com
From: Stephan Leemburg
Organization: IT Functions
Message-ID: <08b63223-ba28-8c80-e72a-ccde8395bd15@it-functions.nl>
Date: Tue, 25 Aug 2020 00:09:46 +0200
Subject: Re: [pve-devel] More than 10 interfaces in lxc containers

On 24-08-2020 18:14, Tom Weber wrote:
> On Monday, 24.08.2020, 17:49 +0200, Dietmar Maurer wrote:
>>> On 08/24/2020 12:54 PM Stephan Leemburg wrote:
>>>
>>> On 24-08-2020 06:53, Dietmar Maurer wrote:
>>>>> If I don't put a tag on the device, it seems to behave like a trunk. So,
>>>>> that would solve my problem. _If_ the hosts were openvswitch enabled.
>>>> I am unable to see why you need openvswitch for that? This also works with
>>>> standard linux network.
>>> Hi Dietmar,
>>>
>>> Oh, that is new for me.
>>>
>>> So, I can have a vlan aware traditional bridge in the firewall that
>>> receives tagged frames and at the same time have the clients on the
>>> specific 'vlans' receive non-tagged frames for their respective pvid?
>>>
>>> How can this be configured in Proxmox?
>> You do not need any special config on the pve host if you do all VLAN related
>> stuff inside the VM.
> You do realize that Stephan is talking about CT not VM? (although I
> don't think such a setup makes sense)
>
> Tom

Thanks.

I have done some research and experimenting on my test system.

I was not aware of vlan capable bridging. But if I have this in my
/etc/network/interfaces on a traditional bridge configured system, then I can
also assign vlans to the hosts on vmbr1, just like with openvswitch.

auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.240.246
    netmask 255.255.255.0
    gateway 192.168.240.254
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet manual
    bridge-vlan-aware yes
    bridge-vids 2-200
    bridge-pvid 2
    bridge_ports none
    bridge_stp off
    bridge_fd 0

Dietmar knows this, but I had to do my homework.

So, it is more or less the same as with openvswitch. And it still is an
intrusive change for my operational systems.

So for now, while planning to do the migration to openvswitch, I took the easy
way out in adding an additional interface in the /etc/pve/lxc/${CT}.conf file:

lxc.net.10.type: veth
lxc.net.10.link: vmbr5
lxc.net.10.veth.pair: veth1001i15
lxc.net.10.hwaddr: 00:CE:99:F9:BF:12
lxc.net.10.name: eth11
lxc.net.10.flags: up

So, I have learned. Even though some think differently about the 'shared network
stack' firewall approach, it can work. Be it with ovs, vlan capable bridge or a
workaround.

Still (Dietmar?), bumping from 10 to 32 would not hurt anyone and can avoid
long mail threads like this..

And 2^(10/2) is nicer than 10^1 isn't it? And there still is 10 in it ;-)

Anyway. I will not bother you any longer on this subject.

Thank you all for your patience, replies and efforts.

I have learned at least something new about vlan capable bridges and that
Proxmox supports it.

And I know tomorrow I will share this with some other senior Linux admin who
has been using Proxmox for a long time that also did not know about this (as I
also consulted with him).

Kind regards,
Stephan
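
An added example (not part of the original mail and not Proxmox code): a Python check for a container config that mixes Proxmox-managed netN lines with hand-added raw lxc.net.N entries like the one in the mail, listing every interface and flagging indexes, interface names or MAC addresses that are used twice. The sample config is constructed, and treating netN and lxc.net.N as one shared index space is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample CT config: net0/net1 in Proxmox's netN syntax, the mail's
# lxc.net.10 entry, and a deliberately clashing hand-written lxc.net.1 entry.
SAMPLE_CONF = """\
hostname: fw
net0: name=eth0,bridge=vmbr0,hwaddr=00:CE:99:F9:BF:01,ip=dhcp,type=veth
net1: name=eth1,bridge=vmbr1,hwaddr=00:CE:99:F9:BF:02,tag=10,type=veth
lxc.net.10.type: veth
lxc.net.10.link: vmbr5
lxc.net.10.veth.pair: veth1001i15
lxc.net.10.hwaddr: 00:CE:99:F9:BF:12
lxc.net.10.name: eth11
lxc.net.10.flags: up
lxc.net.1.type: veth
lxc.net.1.link: vmbr9
lxc.net.1.hwaddr: 00:ce:99:f9:bf:01
lxc.net.1.name: eth11
"""

NETN = re.compile(r"^net(\d+):\s*(.+)$")
RAW = re.compile(r"^lxc\.net\.(\d+)\.([\w.]+)\s*[:=]\s*(.+)$")

def parse_interfaces(text):
    """Return {(source, index): attributes} for netN lines and raw lxc.net.N keys."""
    nics = defaultdict(dict)
    for line in map(str.strip, text.splitlines()):
        if m := NETN.match(line):
            opts = dict(kv.split("=", 1) for kv in m.group(2).split(",") if "=" in kv)
            nics[("net", int(m.group(1)))] = {k: opts.get(k) for k in ("name", "bridge", "hwaddr")}
        elif m := RAW.match(line):
            key = {"link": "bridge"}.get(m.group(2), m.group(2))  # raw 'link' names the bridge
            nics[("lxc.net.", int(m.group(1)))][key] = m.group(3).strip()
    return dict(nics)

def find_conflicts(nics):
    """Return (kind, value, users) for each index, name or MAC used more than once."""
    seen = defaultdict(list)
    for (source, idx), nic in sorted(nics.items()):
        label = f"{source}{idx}"
        seen[("index", str(idx))].append(label)  # assumption: one shared index space
        for field in ("name", "hwaddr"):
            if nic.get(field):
                seen[(field, nic[field].lower())].append(label)  # MACs compared case-insensitively
    return [(kind, value, users) for (kind, value), users in sorted(seen.items()) if len(users) > 1]
```

Run against a copy of the container's config file before restarting the container; an empty list from find_conflicts means no index, name or MAC is reused.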